forrester whitepaper navigate the future of identity management march22 2012

7/28/2019 Forrester Whitepaper Navigate the Future of Identity Management March22 2012

1/16

Forrester Researh, I., 60 Aor Par Drive, cambridge, MA 02140 USATe: +1 617.613.6000 | Fax: +1 617.613.5000 | www.orrester.om

Navigate The Future Of Identity AndAccess Management

b Eve Maer, Marh 22. 2012

FOR: Seurit &

Ris Proessioas

key TakeaWays

Fr surt Wt at, entrr Rqur Zr Trut intt

Te pace o enterprise change is aecting how security and risk pros engage with

the developers, users, and business stakeholders they serve. You cant slow thepace, so you need an IAM approach that withstands extreme heterogeneity in your

business inrastructure so that you can support increased competitiveness with

superior security.

Zr Trut intt i a M, Nt a prut

I youre starting rom scratch, you may be tempted to buy your way into Zero

rust with a cloud identity solution, but you rst need to conceive o IAM

unctions such as provisioning, authentication, and authorization as

application program interaces. You can benet by applying this model even to

internal applications and users.

Zr Trut intt Mut Rt on a s intt dt Funtn

In the loosely coupled regime o the cloud, you can expect every aw in role

governance to be magnied. Make your access control hygiene impeccable

through the discipline o protecting inormation consistently with identity context

(PICWIC) beore you expect your Zero rust identity approach to bear ruit.


2/16

2012, Forrester Researh, I. A rights reserved. Uauthorized reprodutio is strit prohibited. Iormatio is based o best avaiaberesoures. Opiios reet judgmet at the time ad are subjet to hage. Forrester, Tehographis, Forrester Wave, RoeView, TehRadar,ad Tota Eoomi Impat are trademars o Forrester Researh, I. A other trademars are the propert o their respetive ompaies. Topurhase reprits o this doumet, pease emai [email protected]. For additioa iormatio, go to www.orrester.om.

FOR SEcURITy & RISk PROFESSIOnAlS

Why Read This RepoRT

Tis report outlines the uture look o Forresters solution or security and risk (S&R) executives working

on building an identity and access management strategy or the extended enterprise. We designed this

report to help you understand and navigate the major business and I trends aecting identity and access

management (IAM) during the next ve years. IAM in 2012 has become a tool not just or security but also

or business agility. Competitive challenges push businesses into the cloud and encourage mobile device use

even without ull-edged access controls in place. Tese trends create pressing provisioning, authentication,

and authorization challenges or S&R proessionals. All the while, security threats and compliancerequirements continue to swell. o help security pros uniy and improve access control across the extended

enterprise, this report recommends applying a Zero rust inormation security model to IAM.

Tabe O cotets

T etn entrr Urnt N

Bttr a Mnmnt

Nw a enrnmnt ht T

Wn of T iaM

intrun Zr Trut intt

a Tr Ru T a Zr Trut

intt

enb Zr Trut intt st B st

WHAT IT MEAnS

Zr Trut intt d Mu Mr Tn

prtt it enb

notes &Resoures

I deveopig this report, Forrester drew

rom oversatios with 10 user ompaies,

vedors, ad experts, iudig eBa, Ituit,

laer 7 Tehoogies, ad Quest Sotware.

Reated Researh Doumets

your Data Protetio Strateg Wi Fai

Without Strog Idetit cotext

Jue 27, 2011

The Ve O Federated Idetit

Jue 3, 2011

no More chew ceters: Itroduig The

Zero Trust Mode O Iormatio Seurit

September 14, 2010

Nt T Futur of intt an aMnmntIAM For The Exteded Eterprise Must Start From Zero Trust

b Eve Maer

with Stephaie Baaouras,Adras cser, Joh kidervag, ad kee Ma

2

2

5

6

MARcH 22, 2012

12

11
http://www.forrester.com/go?objectid=RES57020http://www.forrester.com/go?objectid=RES57020http://www.forrester.com/go?objectid=RES59161http://www.forrester.com/go?objectid=RES56682http://www.forrester.com/go?objectid=RES56682http://www.forrester.com/go?objectid=BIO2681http://www.forrester.com/go?objectid=BIO1123http://www.forrester.com/go?objectid=BIO1762http://www.forrester.com/go?objectid=BIO1960http://www.forrester.com/go?objectid=BIO1960http://www.forrester.com/go?objectid=BIO1762http://www.forrester.com/go?objectid=BIO1123http://www.forrester.com/go?objectid=BIO2681http://www.forrester.com/go?objectid=RES56682http://www.forrester.com/go?objectid=RES56682http://www.forrester.com/go?objectid=RES59161http://www.forrester.com/go?objectid=RES57020http://www.forrester.com/go?objectid=RES57020http://www.forrester.com/


3/16


navigate The Future O Idetit Ad Aess Maagemet 2

2012, Forrester Researh, I. Reprodutio Prohibited Marh 22. 2012

The exTeNded eNTeRpRise URgeNTly Needs BeTTeR access MaNageMeNT

Forrester clients are struggling with an IAM landscape that increasingly crosses enterprise

boundaries. Tey tell us: SaaS apps are making our existing methods o access management useless.

We cant just Kerberize our apps anymore. I we keep on doing security in domains, its pointless.

Forrester denes the extended enterprise as one or which a business unction is rarely, i ever, a

sel-contained workow within the inrastructure confnes o the company. It presents unique IAM

challenges in three dimensions simultaneously (see Figure 1). For example:

Resource sharing with partners is on a knies edge between vital and perilous. Anautomotive manuacturer is expanding its internal enterprise inormation portal to include a

business partner audience, something it wouldnt have considered doing even a year ago but

now needs or business agility. It wants to put in place extra-strict access controls, since most

o its suppliers also deal with most o its competitors. However, it aces a challenge due to itsinability to control suppliers role-provisioning processes.

Security pros perorce pay less attention to cloud apps than apps they control directly. Whenbusiness owners rush to use soware-a-a-service (SaaS) apps or email, expense management,

and more, they sometimes skip over the ne details o security and access control, leaving

security pros out o the conversation. We see some companies synchronizing user accounts to

external apps on a relatively inrequent schedule through insecure le transer protocol (FP)

or relying entirely on ront-door authentication or access to wide swaths o app unctionality.

Organizations can lose all visibility into access events wherever users can access a SaaS-based

business unction through the open Internet rom an unmanaged device or network without

touching home base inrastructure.

NeWly agile eNviRoNMeNTs highlighT The WeakNesses oF Todays iaM

Tree problems typiy the disconnect between traditional IAM and the new extended-

enterprise reality: 1) stumbling blocks in cross-domain user provisioning; 2) weakened control

o authentication and authorization; and 3) siloed IAM approaches to dierent purposes and

populations.


4/16




Figure 1 Te Extended Enterprise Presents IAM Challenges In Tree Dimensions

Source: Forrester Research, Inc.61625

App hosting

and sourcing

App

access channels

User

populations

Apps in private clouds

On-premises enterprise apps

SaaS apps

Employees

Contractors

Partners

Customers

Enterprise computers

Enterprise-issued devices

Personal devices

Public computers

Apps in public clouds

Partner apps

Members

prbm N. 1: cr-dmn Ur prnn stumbn B

Ideally, I should enable all legitimate access by workorce members to SaaS apps and by partners to

internal apps and block all illegitimate access. However, conveying the attributes and entitlements

o joiners, movers, and leavers to remote apps continues to be a sore spot. Te issues include:

Tight coupling to enterprise user stores. SaaS apps oen come prepared to connect directlyto your organizations lightweight directory access protocol (LDAP) or Active Directory (AD)

store. However, this approach becomes complex and adds security and privacy concerns where

it involves multiple or heterogeneous user stores, and it doesnt scale well as the number o SaaS

apps grows. Many times, rms need to work with business partners users whose identities they

dont want to store, since this entails added liability.

Reduced security due to latency when removing authorizations. SaaS and partner appsthat rely on too-inrequent synchronization to obtain authoritative user data tend not to

catch status changes that should have resulted in denying access. Tis need becomes acute or


5/16




sensitive apps accessible to competitors and supply chain partners, as is oen the case in the

automotive and aerospace sectors.

Reduced business agility due to latency when adding authorizations. Dynamism is keyor agility and competitiveness. When a SaaS or partner app reuses access to legitimate new

employees because the apps synchronization process hasnt caught up with reality, its value

diminishes.

Garbage in, garbage out user data. As one large proessional services rm told us, Tecloud has exposed the act that even well-governed companies are not prepared. SaaS apps are

orcing businesses to conront the inadequate quality o the data in their user repositories, no

matter how they convey the data to remote apps. In the loosely coupled regime o the cloud, you

can expect every governance aw to be magnied.

prbm N. 2: snr Tt aw Wn autnttn an autrztn

Inormation workers are driving big bring-your-own-device (BYOD) moves; recent Forrester

research reveals that 57% o North American and European ino workers chose and paid or

their own smartphones.1 Organizations are now beginning to take better advantage o the BYOD

opportunity. One Dutch company exemplies an increasingly common scenario by giving

employees access to its legacy enterprise applications through specialized iPad apps. However,

mobile and other extended-enterprise trends introduce the ollowing challenges:

Mobile use eliminates classic Windows-based authentication options. Organizations

extreme mobile users, typically salespeople and other eld personnel, might never log intoa Windows-based computer. Tis puts Integrated Windows authentication (IWA), desktop-

riendly smartcard readers, and desktop-to-web single sign-on (SSO) ows out o reach.

Organizations authentication strategies must account or the plethora o new login ows in

BYOD environments.2

External apps local authentication options may not sync with organization requirements.Conguring each o your SaaS and partner apps to perorm the types o employee or customer

authentication you would normally require, such as multiactor authentication (MFA) or

risk-based authentication (RBA), ranges rom daunting to impossible. Popular apps such as

salesorce.com may oer integration o various strong authentication methods such as RSA

SecurID tokens, but long-tail apps are likely to oer only passwords.

Its hard to give SaaS apps all the tools they need to make access decisions on your behal.Your internal users have an overabundance o authorization-related attributes, whether in role,

group, or other orm. Sometimes getting the right ones to a SaaS application in the right orm

can be cumbersome and problematic.


6/16




prbm N. 3: iaM s Fr dffrnt pur an putn

Oen, dierent business owners drive the decision-making around IAM unctions or dierent

populations, such as: 1) employees rom various company divisions; 2) business partners; 3)

consumers; and 4) developers o third-party applications that interact with corporate systems.

Tis leads to divergent architectural choices and added complexity. As a VP o I risk or a large

computer systems rm noted simply, Complexity drives risk. Te extended enterprise causes these

scenarios to blend and merge, drawing attention to mismatches in inrastructure that add security

risk and stall agile business moves. For example:

A change in employee status is sometimes a continuum rather than an event. Mergers andacquisitions throw together I organizations that use dierent IAM platorms, leading to

Band-Aid solutions on top o diverse user stores to begin the process o representing a unied

employee base. When its time to part ways, a similar problem arises: Te rm mentioned above

sold a major division in 2004, but because o remaining close business relationships, its IAMsystems overlap in hard-to-manage ways eight years later.

Federation looks very dierent in business settings versus consumer ones. Many mediaand retail companies are moving rapidly to accept social sign-in rom the likes o Facebook

and witter, exempliying identity ederation or marketing and eCommerce purposes.

Although the underlying mechanisms or providing consumer SSO are identical to SaaS and

business-partner SSO, the corporate business owners and the solution providers addressing

these markets tend to diverge radically. As data breaches and password stealing increase,

hardening consumer IAM to levels expected in enterprise I and aligning inrastructure to

reduce complexity look more attractive.

Many SaaS apps cater to businesses and individuals alike, orcing the unifcation issue.Cloud service providers such as Google, Intuit, and salesorce.com work with individuals along

with enterprises and SMBs and must integrate with each others services or mashup scenarios

as well. Organizations interacting with these services using dierent inrastructure or dierent

use cases multiply their costs and security vulnerabilities.

iNTRodUciNg ZeRo TRUsT ideNTiTy

Forresters Zero rust model o inormation security eliminates the idea o distinct trusted internal

networks versus untrusted external networks. It requires security pros to veriy and secure all

resources, limit and strictly enorce access control, and inspect and log all network trafc.3 Tus,

Zero rust reers to an initial stance toward access. What, then, are the goals or a Zero rust

approach to identity? It must:

Center on sensitive applications and data. Organizations perimeters arent going away, buttheyre clearly not doing a good enough job; the Privacy Rights Clearinghouse has identied 542

data breaches rom 2005 through 2011 due to electronic entry by an outside party, malware and

spyware, and only a ew o the aected organizations reported absence o a rewall.4 For Zero


7/16




rust, every protected resource, whether its an older on-premises CRM app or a business SaaS

app that launched last week, must be equally capable o assessing incoming access requests and

treating each one as a potential threat.

Uniy treatment o access channels, populations, and hosting models. Organizationssystems should always use the same robust and reliable mechanisms to determine and track

access. Tey shouldnt go easy on a request or access just because it comes rom a physically

badged-in employee sitting in the cubicle next to the server arm that hosts the app, rather

than an external partner halway around the globe using a newangled mobile device to get

into a SaaS app (see Figure 2).

Prepare or interactions at Internet scale. Google engineer Steve Yegge made waves with a publicrant in late 2011 about Googles ailures in light o his ormer employer Amazons successes. Te

observation at its heart: Amazons success is due to one simple mandate, which begins, All teams

will henceorth expose their data and unctionality through service interaces. 5 Te lesson applies

not just to high-tech companies but also to every organization that wants to unlock the value o

its data and services. Internet scalability enables integration and aggregation o business value but

also points the way to a robust and repeatable approach to access control.

Figure 2 Zero rust Identity Accommodates Mix-And-Match Access Scenarios


Workforce Business partners Consumers and customers

Authoritativeuser store

Provisioning,proofing,self-service

Authentication,session management,

SSO, federation

Authorization,consent,

access control

SaaS appsOrganization appsBusiness partner

apps

Attestation,delegated

administration, audit

End-userpopulations

IAMfunctionality

Protectedresources

Consumer-facing apps

apply ThRee RUles To achieve ZeRo TRUsT ideNTiTy

o achieve Zero rust identity, S&R pros must apply three important rules: 1) plan or both outward

and inward identity propagation; 2) ormalize and robustly protect the interaces or IAM unctions;

and 3) use and advocate standards or IAM interaces. I you stick only to traditional approaches

suitable or the unextended enterprise o the past, you could pay in integration costs, agility,

or regulatory compliance whenever users cross security domain boundaries to use technology

unctions that orm a virtual part o your business.


8/16




Ru N. 1: pn Fr Bt outwr an inwr intt prtn

Zero rust identity supports the goal oidentity statelessness, allowing each app to consume just-

in-time identity data and services coming rom other organizational domains that are authoritative

or them.6 Given the need or bidirectional ow, you can see the classic identity provider (IdP) and

relying party (RP) roles as merely special cases o a generic security token service (SS) (see Figure

3). Tis rule requires a change in mindset, and its not a trivial one. Te ollowing are some business

motivations or this bidirectional ow:

Figure 3 Many Scenarios Require wo-Way Flows O Identity And Access Inormation


Staffuser store

Institutionaluser store

Consumeruser store

Staffuser store

Consumeruser store

For functions internalto the organization

Organization serves as

an identity client ofuser stores

Organization serves asan identity server for

business functions

Internal to the

organization

At externalpartners

Exposed tocustomers

A security token service (STS)

handles token issuance, translation,

and consumption.


9/16




External identities need to be able to knock on an organizations door or access. A largeconsulting rm with a substantial IAM practice observed: Some organizations are on the cusp

o guring out how to address identity in a cloud environment. Everyone comes with identity

inside their house, and moving it outside the house is what were trying to address. Living up

to this goal, a US technology research rm is deliberately exposing its employee identities in a

orm that is usable on both sides o the rewall and is working to accept third-party logins

rom US ederal government contractors who can present a Common Access Card (CAC)

smartcard credential on a dynamic basis.

Business units and partners alike need to integrate at a moments notice. Intuit has oundthat externalized authentication and authorization APIs allow apps rom dierent business

units and third-party partners, such as QuickBooks, FreshBooks, Bill.com, and Expensiy, to be

nearly completely interoperable when it comes to access management, and it nds this ability

to be eective in encouraging customers to use additional services. Its goal is to avoid askingits enterprise architecture (EA) team or its multitenant cloud service providers to do anything

special when its time to integrate a new identity channel, such as a nancial services rm.

Ru N. 2: Frmz an Rbut prtt T intrf Fr iaM Funtn

Many security pros tell us that or years they have exhorted line-o-business developers to stop baking

access management logic into applications. Why is it more important than ever to externalize and

centralize that logic? Its because the only sae prediction about the next application your organization

will deploy, user it will serve, and device or network he or she will use is a Zero rust prediction.

Te secret to making progress is to push identity-as-a-service (IDaaS) to its logical limit intothe realm o the open web platorm.7 Conceive o IAM unctions as ully externalizable application

programming interaces (APIs) that serve client apps in need o access protection (see Figure 4).

aking this step enables your intentions around Rule No. 1 on a technical level.

In oering IAM APIs, your organization becomes, in a sense, an IAM cloud service provider. It

must protect these APIs as it would protect any open web APIs oering core business unctions, and

the IAM services themselves can recursively play a role in this protection, urther uniying your

inrastructure.8 Intuit went through exactly this process by conceiving o and building a central

identity authority, which could be hosted on-premises or as a cloud service. It then built a layer over

all o its services that could test all inbound trafc.

Te three primary IAM APIs we see enabling mix-and-match access scenarios are as ollows:

Authentication. Tis is a centralized service that perorms identication, authentication, andattribute delivery o all users under your authoritative control. It has an open API, which

internal and external apps can call when your user population needs to access them. Tis

API lets your organization unction as an IdP, enabling cross-domain SSO, login session


10/16




management, ederation, social sign-in, and similar use cases. aking an API approach prepares

or access by native mobile apps as well as web apps. Large enterprises can benet rom this API

even in an internal ederation scenario; our computer systems rm ound that getting all o its

apps to use one directory is a $200 million I problem.

Figure 4 Apply Te API Faade Pattern o IAM Functions


API client

Scale-outinfrastructure

IAMinfrastructure

API faade patternApplying the pattern

to IAM functions

IAM API client IAM API client

Web service and app APIsAPIs for authentication,

authorization, provisioning . . .

Back-end apps, web apps, mobile apps . . . Business apps

API client

The business apps

own API determines

access control

granularity

Robustly protect all

interfaces, regardless

of their sourcing

model

Internet Internet

Provisioning. Tis is an open API over your user stores that allows internal and external client

apps to read and write identity inormation as appropriate, including deprovisioning accounts.Tis API enables account synchronization with internal, SaaS, and partner apps when ederation

is not an option, as well as internal provisioning workows that work with your existing

directory or database inrastructure in a loosely coupled way.

Authorization. Tis is a centralized policy decision point (PDP) with an open API thatinternal and external business apps running on your behal can consult beore allowing access

by requesters. Tis API enables business apps to serve as auditable policy enorcement points


11/16




(PEPs) no matter where they are hosted. API management vendor Layer 7 has been nding that,

to the extent that these business apps themselves expose ne-grained eatures through their

APIs, they can support arbitrarily ne-grained access control by this method. Least-privilege

access is an important tenet o Zero rust inormation security.

Ru N. 3: U an at stnr Fr iaM intrf

Te Zero rust identity vision and its open web emphasis play into a larger vision that some,

including our technology research rm rom above, label Enterprise 2.0. Te goal: Couple your

systems as loosely as you can, avoiding dependencies on IWA, AD, LDAP, or Kerberos identity

technologies wherever you can. While enterprises oen employ internal standardization o IAM

APIs as a rst step, they requently report that orcing developers onto an API that the outside world

doesnt use merely delays extended-enterprise benets and orces unnecessary implementation

upgrades. Tereore, the best way to achieve Zero rust identity is to use global standards that

dene well-accepted and loosely coupled messaging around IAM unctions. For the standardization

needs o the three key IAM APIs, we see the ollowing solutions (see Figure 5):

Service Provisioning Markup Language (SPML). Although it never reached pervasivedeployment, this long-established provisioning standard uses a web services approach that is

riendly to service-oriented architecture (SOA) environments.

Simple Cloud Identity Management (SCIM). Tis emerging web-riendly provisioning standardis appealing to cloud service providers and was developed rapidly over the past year and a hal. It

is entering a nal standardization phase now but is already seeing product support rom vendors

such as UnboundID. Using SCIM as a jumping-o point is valuable even as it evolves.

Security Assertion Markup Language (SAML). Tis is the granddaddy o open standards thatenable cross-domain SSO and ederation. It remains popular in enterprise and government

settings or its robustness and time-tested nature.

OpenID Connect. Tis emerging web standard solves or SSO, session management, andidentity claims retrieval.9 You can think o it as a lightweight SAML that enables dynamic B2E,

B2B, and B2C use cases, in a way thats o particular interest to eorts such as the National

Strategy or rusted Identities in Cyberspace (NSIC).10 Its dra specications passed a vote o

the OpenID Foundation membership in early 2012, and interoperability testing among seven

implementers, including Google and eBay, is under way. Using OpenID Connect as a starting

point or integrating with small partners that dont have SAML chops can be valuable.

Extensible Access Control Markup Language (XACML). Tis standard includes anauthorization decision protocol and a ormat or expressing authorization policies. Although

it has not yet seen deployment at the scale o SAML, XACML use is increasing, particularly in

national deense settings.


12/16




OAuth. Tis is an emerging standard or user-authorized access by an API client to a web API.It provides security plumbing similar in purpose to the WS-Security standard or HP Basic

Authentication. It is becoming a key method o protecting APIs including IAM-related APIs

such as SCIM and OpenID Connect to the level required or Zero rust.

User-Managed Access (UMA). Tis emerging web protocol solves or access control by thirdparties to arbitrary protected web resources. Te initial use cases included enabling individual

Web 2.0 users to share calendars, health records, and other data and content with riends, amily,

and organizations. Business-related use cases include enterprise oversight o employees use

o cloud services. You can think o it as a lightweight XACML (without the policy expression

language) that enables loose coupling between authorization decision and enorcement points.11

Figure 5 Standard Protocols Make Zero rust Identity Interactions More Uniorm


Provisioning, proofing,self-service

Authentication, sessionmanagement, SSO, federation

Authorization, consent,access control

IAMfunctionality

EstablishedSOA-friendlystandards

Emergingweb-friendlystandards

eNaBle ZeRo TRUsT ideNTiTy sTep By sTep

Zero rust identity is a model, not a product. I youre starting rom scratch, you may be tempted to

buy your way into Zero rust with a cloud identity solution, but you can benet by applying the

model even to internal applications and users. Follow these our steps to enable and leverage Zero

rust identity in support o a more agile, competitive, and secure organization:

Step 1: Map identity context to your data. Remember: Garbage in, garbage out. Apply the

practices o protecting inormation consistently with identity context (PICWIC) to ensure thatyour access control hygiene is impeccable beore you expect your Zero rust identity approach

to bear ruit.12

Step 2: Federation-enable your organization and its applications. I you havent yet, becomean IdP or your workorce so that youre ready or SSO into business partner and SaaS apps, and

plot a strategy or converting your business applications into RPs to leverage your new IdP. A


13/16




large proessional services rm has seen ederation enablement pay o even or companies that

havent yet taken the SSO plunge with a single strategic partner or cloud app. Tis is because

competitive pressures inevitably demand quick SSO action, and you want to be ready with

an enterprise-grade solution rather than a quick-and-dirty one that suers rom security andperormance holes.

Step 3: Create communities o developers to increase the attraction o your IAM services.Preparing your IAM services or loose coupling provides a means o outsourcing security logic,

but creating a developer community enables you to promote this goal actively. Tis can take

a lightweight orm, such as creating and evangelizing soware development kits and sample

hello world code, or it can involve a ormal developer orum and portal, typical or an external

developer audience. API management vendor Layer 7 advises orming an internal community

rst as a test audience; its own API Portal product is deployed in an inward-acing ashion more

than 50% o the time. Focus rst on enabling developers to turn apps into RPs.

Step 4: Push the edge o the envelope in externalizing authorization. Elderly on-premisesapps tend to control a great deal o their own security logic, delivering the desired ne-grained

authorization but in a manner that quickly becomes unsustainable in an extended enterprise. A

greeneld is your best chance o building better habits: Leverage your developer community to

promote outsourcing authorization decisions rom new apps to a centralized API. When you

just cant wait or the natural end o a legacy apps lie, build a aade that handles translation in

and out on the basis o your PICWIC data classication.

W H A T I T M E A N S

ZeRo TRUsT ideNTiTy does MUch MoRe ThaN pRoTecT iT eNaBles

Steve Yegges rant uses snark to highlight the seeming contradiction between accessibility open

interaces and security: Accessibility is actually more important than Security because dialing

Accessibility to zero means you have no product at all, whereas dialing Security to zero can still get

you a reasonably successul product such as the PlayStation Network. As a wise person observed,

however, we have brakes on our cars not so that we can stop, but so that we can go ast.13 o

extended enterprises, organizational domains become a secondary consideration and so their

IAM strategies must respond in kind.

Zero rust identity does more, however. Moving to the cloud and enabling BYOD entail cedingcontrol. Zero rust identity brings it back, in ner granularity. I your organization cant transition

to this model, it wont be able to apportion control and responsibility to the correct party,

whether that party is itsel, an employee, a business partner, or an external service provider.


14/16




eNdNoTes

1 Hal o ino workers are using three or more devices, and many report signicant inuence on and personal

spending or their devices. See the February 22, 2012, Ino Workers Using Mobile And Personal Devices

For Work Will ransorm Personal ech Markets report.

2 Te strong authentication landscape has undergone tremendous churn in recent years as new mobile-

ueled technologies have come online and as RSA, the premier vendor o hardware one-time password

(OP) tokens, experienced a breach. See the February 3, 2012, echRadar For Security Pros: Strong

Authentication, Q1 2012 report.

3 I the current trust model is broken, how do we x it? It requires a new way o thinking. Te way we x the

old trust model is we begin at the beginning and look or a new trust model. See the September 14, 2010,

No More Chewy Centers: Introducing he Zero rust Model O Inormation Security report. Once upon

a time, security and risk proessionals had dened borders to protect a limited and highly restricted user

community and a visible set o threats, such as worms and viruses. oday, our organizations unctional

network has extended well outside o our controllable borders. See the August 5, 2011, Applying Zero rust

o he Extended Enterprise report.

4 Source: Te Privacy Rights Clearinghouse (http://www.privacyrights.org/data-breach/new).

5 Te Amazon mandate in ull, as related by Yegge, was as ollows: 1) All teams will henceorth expose their

data and unctionality through service interaces. 2) eams must communicate with each other through

these interaces. 3) Tere will be no other orm o interprocess communication allowed: no direct linking,

no direct reads o another teams data store, no shared-memory model, no back-doors whatsoever. Te

only communication allowed is via service interace calls over the network. 4) It doesnt matter what

technology they use. HP, Corba, Pubsub, custom protocols doesnt matter. Bezos doesnt care. 5) All

service interaces, without exception, must be designed rom the ground up to be externalizable. Tat is tosay, the team must plan and design to be able to expose the interace to developers in the outside world. No

exceptions. 6) Anyone who doesnt do this will be red. Te rant is worth reading in ull. Source: Google

Plus (https://plus.google.com/112678702228711889851/posts/eVeouesvaVX).

6 Federated identity solutions enable identity statelessness, which we dene as ollows: networked services

achieving access control and personalization goals by consuming just-in-time identity data and services

rom authoritative sources living in other organizational domains, at the moment users and applications

approach, removing the need or long-term identity data replication. See the June 3, 2011, he Venn O

Federated Identity report.

7 IDaaS architectures provide discrete but complementary and coordinating services that enable applications

and portals to perorm identity and access management unctions. Tese services can work in a standalone

ashion or be chained and orchestrated in the manner o an enterprise service bus. See the April 2, 2008,

Identity-Management-As-A-Service report. Open Web developers tend to use a variation o the aade

pattern or their applications but rene the pattern to ocus on standard web ormats and protocols

and services delivered via the Web so we reer to it as the open Web aade. See the January 24, 2012,

Embracing he Open Web: Web echnologies You Need o Engage Your Customers, And Much More

report.
http://www.forrester.com/go?objectid=RES60567http://www.forrester.com/go?objectid=RES60567http://www.forrester.com/go?objectid=RES57314http://www.forrester.com/go?objectid=RES57314http://www.forrester.com/go?objectid=RES56682http://www.forrester.com/go?objectid=RES60253http://www.forrester.com/go?objectid=RES60253http://www.forrester.com/go?objectid=RES59161http://www.forrester.com/go?objectid=RES59161http://www.forrester.com/go?objectid=RES43824http://www.forrester.com/go?objectid=RES61294http://www.forrester.com/go?objectid=RES61294http://www.forrester.com/go?objectid=RES43824http://www.forrester.com/go?objectid=RES59161http://www.forrester.com/go?objectid=RES59161http://www.forrester.com/go?objectid=RES60253http://www.forrester.com/go?objectid=RES60253http://www.forrester.com/go?objectid=RES56682http://www.forrester.com/go?objectid=RES57314http://www.forrester.com/go?objectid=RES57314http://www.forrester.com/go?objectid=RES60567http://www.forrester.com/go?objectid=RES60567


15/16




8 When it comes to web-based APIs, security proessionals are coming under pressure in opposite directions:

1) to reduce the number o moving security parts, and 2) to manage the exposure o more APIs to a wider

range o access, more dynamically. See the July 13, 2011, Protecting Enterprise APIs With A Light ouch

report.

9 Te new suite o OpenID Connect and JavaScript Object Notation (JSON) Web oken specications brings

another round o standards disruption but also promises a no-compromises approach to highly distributed

identity and access management (IAM). See the October 6, 2011, OpenID Connect Heralds he Identity

Singularity report.

10 More inormation about the NSCI program is available at Te National Strategy or rusted Identities in

Cyberspaces website: http://www.nist.gov/nstic/.

11 Disclosure: Te author o this report ounded the UMA eort and serves as the chair o the UMA working

group at the Kantara Initiative.

12 Te identity lie cycle contains our critical stages where you must set up and enorce epolicies regarding

how you grant and revoke users (employees and business partners) access to inormation. Te

undamental premise o PICWIC is that you should assign data to business owners at all times. See the June

27, Your Data Protection Strategy Will Fail Without Strong Identity Context report.

13 Te wise person was Sara Gates. Source: Sara Gates, Accelerate Without Fear, From Here to Identity,

November 3, 2005 (https://blogs.oracle.com/saragates/entry/accelerate_without_ear).
http://www.forrester.com/go?objectid=RES59162http://www.forrester.com/go?objectid=RES60893http://www.forrester.com/go?objectid=RES60893http://www.forrester.com/go?objectid=RES57020http://www.forrester.com/go?objectid=RES57020http://www.forrester.com/go?objectid=RES60893http://www.forrester.com/go?objectid=RES60893http://www.forrester.com/go?objectid=RES59162


16/16

Forrester Researh, I. (nasdaq: FORR) is a idepedet researh ompa that provides pragmati ad orward-thiig advie to

goba eaders i busiess ad tehoog. Forrester wors with proessioas i 19 e roes at major ompaies providig proprietar

researh, ustomer isight, osutig, evets, ad peer-to-peer exeutive programs. For more tha 28 ears, Forrester has bee maig

Forrester Focuses On

Security & Risk Professionals

To hep our irm apitaize o ew busiess opportuities sae,

ou must esure proper goverae oversight to maage ris whie

optimizig seurit proesses ad tehoogies or uture exibiit.

Forresters subjet-matter expertise ad deep uderstadig o ourroe wi hep ou reate orward-thiig strategies; weigh opportuit

agaist ris; justi deisios; ad optimize our idividua, team, ad

orporate perormae.

SEAN RHodES, client persona representing Security & Risk Professionals

About Forrester

A goba researh ad advisor frm, Forrester ispires eaders,

iorms better deisios, ad heps the words top ompaies tur

the ompexit o hage ito busiess advatage. Our researh-

based isight ad objetive advie eabe IT proessioas to

ead more suessu withi IT ad exted their impat beod

the traditioa IT orgaizatio. Taiored to our idividua roe, our

resoures aow ou to ous o importat busiess issues

margi, speed, growth frst, tehoog seod.

foR MoRE INfoRMATIoN

o nd out how Forrester Research can help you be successul every day, please

contact the ofce nearest you, or visit us at www.orrester.com, For a complete list

o worldwide locations, visit www.orrester.com/about.

ClIENT SuppoRT

For inormation on hard-copy or electronic reprints, please contact Client Support

at +1 866.367.7378, +1 617.613.5730, or [email protected] . We oer

quantity discounts and special pricing or academic and nonprot institutions.
mailto:[email protected]:[email protected]://www.forrester.com/

forrester whitepaper navigate the future of identity management march22 2012

Documents